Best Practice on Password Rotation?

Some time ago when CA was helping us solve an issue with password rotation. We were informed that a best practice would be setting up a service account to rotate passwords; rather than, a scheduled job within the CA application.

Can you confirm that you are using CA Server Automation? This is the community for CA Server Automation. If not, can you confirm which product you are asking this question for? Based on that I will get this thread to the appropriate community.

1) Yes, we would generally recommend that you use a service account to allow for passwords to be changed on Windows, when using the Windows Proxy.

2) Once 1 has been set up, you can then set up scheduled jobs (or use any other method of password change as required) from CA PAM.

Without a properly privileged account set as the running user for the Windows PAM Proxy service it would not be able to change passwords. See the doc link below for more information on this including the permissions & account types required for various situations: